1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
|
.TH NSJAIL "1" "August 2017" "nsjail" "User Commands"
\"
.SH NAME
nsjail \- process isolation tool for linux
\"
.SH SYNOPSIS
\fInsjail\fP [options] \fB\-\-\fR path_to_command [args]
\"
.SH DESCRIPTION
NsJail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel
\"
.SH Options
.TP
\fB\-\-help\fR|\fB\-h\fR Help plz..
.TP
\fB\-\-mode\fR|\fB\-M\fR VALUE
Execution mode (default: o [MODE_STANDALONE_ONCE]):
.IP
\fBl\fR: Wait for connections on a TCP port (specified with \fB\-\-port\fR) [MODE_LISTEN_TCP]
.PP
.IP
\fBo\fR: Launch a single process on the console using clone/execve [MODE_STANDALONE_ONCE]
.PP
.IP
\fBe\fR: Launch a single process on the console using execve [MODE_STANDALONE_EXECVE]
.PP
.IP
\fBr\fR: Launch a single process on the console with clone/execve, keep doing it forever [MODE_STANDALONE_RERUN]
.PP
.TP
\fB\-\-config\fR|\fB\-C\fR VALUE
Configuration file in the config.proto ProtoBuf format (see configs/ directory for examples)
.TP
\fB\-\-exec_file\fR|\fB\-x\fR VALUE
File to exec (default: argv[0])
.TP
\fB\-\-execute_fd\fR
Use execveat() to execute a file-descriptor instead of executing the binary path. In such case argv[0]/exec_file denotes a file path before mount namespacing
.TP
\fB\-\-chroot\fR|\fB\-c\fR VALUE
Directory containing / of the jail (default: none)
.TP
\fB\-\-rw\fR
Mount chroot dir (/) R/W (default: R/O)
.TP
\fB\-\-user\fR|\fB\-u\fR VALUE
Username/uid of processes inside the jail (default: your current uid). You can also use inside_ns_uid:outside_ns_uid:count convention here. Can be specified multiple times
.TP
\fB\-\-group\fR|\fB\-g\fR VALUE
Groupname/gid of processes inside the jail (default: your current gid). You can also use inside_ns_gid:global_ns_gid:count convention here. Can be specified multiple times
.TP
\fB\-\-hostname\fR|\fB\-H\fR VALUE
UTS name (hostname) of the jail (default: 'NSJAIL')
.TP
\fB\-\-cwd\fR|\fB\-D\fR VALUE
Directory in the namespace the process will run (default: '/')
.TP
\fB\-\-port\fR|\fB\-p\fR VALUE
TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)
.TP
\fB\-\-bindhost\fR VALUE
IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')
.TP
\fB\-\-max_conns\fR VALUE
Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
.TP
\fB\-\-max_conns_per_ip\fR|\fB\-i\fR VALUE
Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
.TP
\fB\-\-log\fR|\fB\-l\fR VALUE
Log file (default: use log_fd)
.TP
\fB\-\-log_fd\fR|\fB\-L\fR VALUE
Log FD (default: 2)
.TP
\fB\-\-time_limit\fR|\fB\-t\fR VALUE
Maximum time that a jail can exist, in seconds (default: 600)
.TP
\fB\-\-max_cpus\fR VALUE
Maximum number of CPUs a single jailed process can use (default: 0 'no limit')
.TP
\fB\-\-daemon\fR|\fB\-d\fR
Daemonize after start
.TP
\fB\-\-verbose\fR|\fB\-v\fR
Verbose output
.TP
\fB\-\-quiet\fR|\fB\-q\fR
Log warning and more important messages only
.TP
\fB\-\-really_quiet\fR|\fB\-Q\fR
Log fatal messages only
.TP
\fB\-\-keep_env\fR|\fB\-e\fR
Pass all environment variables be passed process (default: all envars are cleared)
.TP
\fB\-\-env\fR|\fB\-E\fR VALUE
Additional environment variable (can be used multiple times). If the envar doesn't contain '=' (e.g. just the 'DISPLAY' string), the current envar value will be used
.TP
\fB\-\-keep_caps\fR
Don't drop any capabilities
.TP
\fB\-\-cap\fR VALUE
Retain this capability, e.g. CAP_PTRACE (can be specified multiple times)
.TP
\fB\-\-silent\fR
Redirect child process' fd:0/1/2 to /dev/null
.TP
\fB\-\-stderr_to_null\fR
Redirect FD=2 (STDERR_FILENO) to /dev/null
.TP
\fB\-\-skip_setsid\fR
Don't call setsid(), allows for terminal signal handling in the sandboxed process. Dangerous
.TP
\fB\-\-pass_fd\fR VALUE
Don't close this FD before executing the child process (can be specified multiple times), by default: 0/1/2 are kept open
.TP
\fB\-\-disable_no_new_privs\fR
Don't set the prctl(NO_NEW_PRIVS, 1) (DANGEROUS)
.TP
\fB\-\-rlimit_as\fR VALUE
RLIMIT_AS in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 4096)
.TP
\fB\-\-rlimit_core\fR VALUE
RLIMIT_CORE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current limit, 'inf' for RLIM_INFINITY (default: 0)
.TP
\fB\-\-rlimit_cpu\fR VALUE
RLIMIT_CPU, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 600)
.TP
\fB\-\-rlimit_fsize\fR VALUE
RLIMIT_FSIZE in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 1)
.TP
\fB\-\-rlimit_nofile\fR VALUE
RLIMIT_NOFILE, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current limit, 'inf' for RLIM_INFINITY (default: 32)
.TP
\fB\-\-rlimit_nproc\fR VALUE
RLIMIT_NPROC, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 'soft')
.TP
\fB\-\-rlimit_stack\fR VALUE
RLIMIT_STACK in MB, 'max' or 'hard' for the current hard limit, 'def' or 'soft' for the current soft limit, 'inf' for RLIM_INFINITY (default: 'soft')
.TP
\fB\-\-disable_rlimits\fR
Disable all rlimits, default to limits set by parent
.TP
\fB\-\-persona_addr_compat_layout\fR
personality(ADDR_COMPAT_LAYOUT)
.TP
\fB\-\-persona_mmap_page_zero\fR
personality(MMAP_PAGE_ZERO)
.TP
\fB\-\-persona_read_implies_exec\fR
personality(READ_IMPLIES_EXEC)
.TP
\fB\-\-persona_addr_limit_3gb\fR
personality(ADDR_LIMIT_3GB)
.TP
\fB\-\-persona_addr_no_randomize\fR
personality(ADDR_NO_RANDOMIZE)
.TP
\fB\-\-disable_clone_newnet\fR|\-N
Don't use CLONE_NEWNET. Enable global networking inside the jail
.TP
\fB\-\-disable_clone_newuser\fR
Don't use CLONE_NEWUSER. Requires euid==0
.TP
\fB\-\-disable_clone_newns\fR
Don't use CLONE_NEWNS
.TP
\fB\-\-disable_clone_newpid\fR
Don't use CLONE_NEWPID
.TP
\fB\-\-disable_clone_newipc\fR
Don't use CLONE_NEWIPC
.TP
\fB\-\-disable_clone_newuts\fR
Don't use CLONE_NEWUTS
.TP
\fB\-\-disable_clone_newcgroup\fR
Don't use CLONE_NEWCGROUP. Might be required for kernel versions < 4.6
.TP
\fB\-\-uid_mapping\fR|\fB\-U\fR VALUE
Add a custom uid mapping of the form inside_uid:outside_uid:count. Setting this requires newuidmap (set-uid) to be present
.TP
\fB\-\-gid_mapping\fR|\fB\-G\fR VALUE
Add a custom gid mapping of the form inside_gid:outside_gid:count. Setting this requires newgidmap (set-uid) to be present
.TP
\fB\-\-bindmount_ro\fR|\fB\-R\fR VALUE
List of mountpoints to be mounted \fB\-\-bind\fR (ro) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
.TP
\fB\-\-bindmount\fR|\fB\-B\fR VALUE
List of mountpoints to be mounted \fB\-\-bind\fR (rw) inside the container. Can be specified multiple times. Supports 'source' syntax, or 'source:dest'
.TP
\fB\-\-tmpfsmount\fR|\fB\-T\fR VALUE
List of mountpoints to be mounted as tmpfs (R/W) inside the container. Can be specified multiple times. Supports 'dest' syntax. Alternatively, use '-m none:dest:tmpfs:size=8388608'
.TP
\fB\-\-mount\fR|\fB\-m\fR VALUE
Arbitrary mount, format src:dst:fs_type:options
.TP
\fB\-\-symlink\fR|\f\B\-s\fR VALUE
Symlink, format src:dst
.TP
\fB\-\-disable_proc\fR
Disable mounting procfs in the jail
.TP
\fB\-\-proc_path\fR VALUE
Path used to mount procfs (default: '/proc')
.TP
\fB\-\-proc_rw\fR
Is procfs mounted as R/W (default: R/O)
.TP
\fB\-\-seccomp_policy\fR|\fB\-P\fR VALUE
Path to file containing seccomp\-bpf policy (see kafel/)
.TP
\fB\-\-seccomp_string\fR VALUE
String with kafel seccomp\-bpf policy (see kafel/)
.TP
\fB\-\-seccomp_log\fR
Use SECCOMP_FILTER_FLAG_LOG. Log all actions except SECCOMP_RET_ALLOW. Supported since kernel version 4.14
.TP
\fB\-\-cgroup_mem_max\fR VALUE
Maximum number of bytes to use in the group (default: '0' \- disabled)
.TP
\fB\-\-cgroup_mem_memsw_max\fR VALUE
Maximum number of memory+Swap bytes to use in the group (default: '0' \- disabled)
.TP
\fB\-\-cgroup_mem_swap_max\fR VALUE
Maximum number of swap bytes to use in the group (default: '-1' \- disabled)
.TP
\fB\-\-cgroup_mem_mount\fR VALUE
Location of memory cgroup FS (default: '/sys/fs/cgroup/memory')
.TP
\fB\-\-cgroup_mem_parent\fR VALUE
Which pre\-existing memory cgroup to use as a parent (default: 'NSJAIL')
.TP
\fB\-\-cgroup_pids_max\fR VALUE
Maximum number of pids in a cgroup (default: '0' \- disabled)
.TP
\fB\-\-cgroup_pids_mount\fR VALUE
Location of pids cgroup FS (default: '/sys/fs/cgroup/pids')
.TP
\fB\-\-cgroup_pids_parent\fR VALUE
Which pre\-existing pids cgroup to use as a parent (default: 'NSJAIL')
.TP
\fB\-\-cgroup_net_cls_classid\fR VALUE
Class identifier of network packets in the group (default: '0' \- disabled)
.TP
\fB\-\-cgroup_net_cls_mount\fR VALUE
Location of net_cls cgroup FS (default: '/sys/fs/cgroup/net_cls')
.TP
\fB\-\-cgroup_net_cls_parent\fR VALUE
Which pre\-existing net_cls cgroup to use as a parent (default: 'NSJAIL')
.TP
\fB\-\-cgroup_cpu_ms_per_sec\fR VALUE
Number of milliseconds of CPU time per second that the process group can use (default: '0' - no limit)
.TP
\fB\-\-cgroup_cpu_mount\fR VALUE
Location of cpu cgroup FS (default: '/sys/fs/cgroup/net_cls')
.TP
\fB\-\-cgroup_cpu_parent\fR VALUE
Which pre-existing cpu cgroup to use as a parent (default: 'NSJAIL')
.TP
\fB\-\-cgroupv2_mount\fR VALUE
Location of cgroup v2 directory (default: '/sys/fs/cgroup')
.TP
\fB\-\-use_cgroupv2\fR
Use cgroup v2
.TP
\fB\-\-iface_no_lo\fR
Don't bring the 'lo' interface up
.TP
\fB\-\-iface_own\fR VALUE
Move this existing network interface into the new NET namespace. Can be specified multiple times
.TP
\fB\-\-macvlan_iface\fR|\fB\-I\fR VALUE
Interface which will be cloned (MACVLAN) and put inside the subprocess' namespace as 'vs'
.TP
\fB\-\-macvlan_vs_ip\fR VALUE
IP of the 'vs' interface (e.g. "192.168.0.1")
.TP
\fB\-\-macvlan_vs_nm\fR VALUE
Netmask of the 'vs' interface (e.g. "255.255.255.0")
.TP
\fB\-\-macvlan_vs_gw\fR VALUE
Default GW for the 'vs' interface (e.g. "192.168.0.1")
.TP
\fB\-\-macvlan_vs_ma\fR VALUE
MAC-address of the 'vs' interface (e.g. "ba:ad:ba:be:45:00")
\"
.SH Examples
.PP
Wait on a port 31337 for connections, and run /bin/sh:
.IP
nsjail \-Ml \-\-port 31337 \-\-chroot / \-\- /bin/sh \-i
.PP
Re\-run echo command as a sub\-process:
.IP
nsjail \-Mr \-\-chroot / \-\- /bin/echo "ABC"
.PP
Run echo command once only, as a sub\-process:
.IP
nsjail \-Mo \-\-chroot / \-\- /bin/echo "ABC"
.PP
Execute echo command directly, without a supervising process:
.IP
nsjail \-Me \-\-chroot / \-\-disable_proc \-\- /bin/echo "ABC"
\"
|
